The short answer is: It depends. Ask anyone who has encountered the cost of trying to recover from a cyber attack and you will understand that when it comes to the expense of keeping data safe, a lot has to do with timing.
There are plenty of free and low-cost resources that can help the average individual or small business be proactive in building resilience. (Some common sense is a good place to start.) The real cost here is the time required to ensure that the various security technologies are researched and then configured appropriately. The more technology you want to use, the more time, skill, and effort is required. With that said, the earlier security measures are considered, the cheaper they typically are to implement and sustain.
Although the average cost of cybersecurity can be difficult to identify, Gartner estimated the global spend on information security products and services in 2018 to be between 0.5 and 1.5% of global revenue—or $114 million. In 2019, the market is estimated to grow 8.7% to $124 billion.
The Ninth Annual Cost of Cybercrime Study put out earlier this year by Accenture and Ponemon Institute also analyzes the cost of cybercrime to help business leaders better target security investments and resources. They found that cybercrime is increasing, takes more time to resolve, and is more expensive for organizations. On the upside, they found that by improving cybersecurity protection, cybercrime costs can be reduced and new revenue opportunities realized.
Highlights from the Cost of Cybercrime Study:
- The expanding threat landscape and new business innovation are leading to an increase in cyber attacks—the average number of security breaches in the last year grew by 11 percent, from 130 to 145.
- Organizations spend more than ever to deal with the costs and consequences of more sophisticated attacks—the average cost of cybercrime for an organization increased from $1.4 million to $13.0 million.
- Improving cybersecurity protection can decrease the cost of cybercrime and open up new revenue opportunities.
- By prioritizing technologies that improve cybersecurity protection, organizations can reduce the consequences of cybercrime and unlock future economic value as higher levels of trust encourage more business from customers.
Top Drivers for Security Spend
Gartner reports the top drivers for security spending to be (1) security risks; (2) business needs; (3) industry changes; and (4) privacy concerns. The threats businesses most see the need to defend against include denial-of-service attacks, malicious code, and malicious insiders. Knowing that these are the most costly types of attack should serve as valuable information for prioritizing the allocation of security resources. The problem is that many organizations view this information as interesting data, but still maintain the belief that such an attack won’t happen in their house.
A better approach is to implement the tools and take the steps necessary to provide better protection, earlier detection, and quicker recovery from cybercrime attacks. Considering that it can take roughly 170 days to detect an attack, and an average of 45 days to resolve a cyber incident, the cost to recover—in man-hours, additional technology implementation, regaining consumer and stakeholder trust, etc.—can be dizzying (as shown above). The costs associated with a proactive defense, on the other hand, are a fraction of the cost of a compromise or data breach.
Raef Meeuwisse, CISM, CISA, author of Cybersecurity for Beginners, suggests organizations of all sizes use CMMI Institute’s Capability Maturity Model Integration to better understand where they are on their own journey to achieving effective cybersecurity and the cost involved.
How to Protect on a Budget
When it comes to security, an investment in proactive education or technology-based solutions can potentially save an organization a significant amount of money. And remember, investment in security is about loss prevention, risk mitigation, and savings, not necessarily profitability.
Ponemon Institute has also been thoughtful enough to analyze the costs of proactive measures for large enterprises. For cybersecurity awareness training programs, large enterprises spend roughly $4 million annually. This cost may seem high, but it is still well below the $13 million price tag of a data breach. Given that insider threat is mainly driven by negligence, cybersecurity awareness training provides an excellent payback in savings for an organization.
Technology solutions provide another payback option. When it comes to deterring insider threats, technology can address not just negligent insiders but also criminal insiders with malicious intent. According to Ponemon, the particular technology category that provides the greatest savings is User Behavior Analytics (UBA), which for surveyed enterprises cost $3.2 million annually. In comparison to the cost of an average data breach, an enterprise of any size saves millions. “No amount of investment can completely protect organizations from highly sophisticated cyber attacks, but improving and prioritizing your organization’s ability to disrupt the adversary… can significantly improve attack containment, and reduce the overall financial outlay and impact,” says Art Gilliland, executive vice president and general manager of Enterprise Products for Symantec.